MariaDB - MyiSAM/Aria Temporary Files Arbitrary File Delete Vulnerability

Active8
Ok DA staff, please update MariaDB in CS ASAP:
@smtalk, @DirectAdmin Support

============================================================

Product: MariaDB
OS: Linux
URL: https://mariadb.org
Type: Arbitrary File Delete (CWE-59)
Vulnerable Version: All versions prior to fixed versions.
Fixed Version: 10.5.7, 10.4.16, 10.3.26, 10.2.35, 10.1.48
CVE Number: *PENDING*
Date: 2020-11-09
Found By: RACK911 Labs

============================================================

Product Description:
--------------------

MariaDB Server is one of the most popular database servers in the world. It’s made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google.

MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. Originally designed as an enhanced, drop-in replacement for MySQL, MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools that make it very versatile for a wide variety of use cases.

Vulnerability Description:
--------------------------

MariaDB is vulnerable to an arbitrary file delete vulnerability that allows unprivileged users to corrupt and/or delete files owned by the 'mysql' user, including other users' databases.

This vulnerability arises from the use of insecure temporary files in MyISAM/Aria operations.

In our testing, most hosting control panels that use MariaDB are vulnerable to this exploit. It is incredibly easy to exploit and users are strongly advised to update as soon as possible.

Vendor Contact Timeline:
------------------------

2020-08-23: Vendor contacted via email.
2020-08-24: Vendor confirms vulnerability.
2020-11-04: Vendor issues update(s) resolving vulnerability.
2020-11-09: RACK911 Labs releases public advisory.

Reference(s):
-------------

https://jira.mariadb.org/browse/MDEV-23569
https://mariadb.com/kb/en/mariadb-1057-release-notes/
https://mariadb.com/kb/en/mariadb-10416-release-notes/
https://mariadb.com/kb/en/mariadb-10326-release-notes/
https://mariadb.com/kb/en/mariadb-10235-release-notes/
https://mariadb.com/kb/en/mariadb-10148-release-notes/

About Us:
---------

RACK911 Labs
1110 Palms Airport Drive, Suite 110
Las Vegas, NV 89119
https://www.RACK911Labs.com
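The advisory lists one fixed release per branch. The following is an added example, not code from RACK911 Labs, MariaDB or DirectAdmin, that turns that list into a check you can run on a server: it parses the `mysqld --version` banner and compares the running version against the fixed version of its own branch. The sample banners are constructed, and the handling of branches outside 10.1 to 10.5 is an assumption stated in the code (older branches treated as unfixed, newer branches as post-fix).

```python
import re
import shutil
import subprocess

# Fixed versions listed in the advisory, keyed by MariaDB release branch.
FIXED_VERSIONS = {
    "10.5": (10, 5, 7),
    "10.4": (10, 4, 16),
    "10.3": (10, 3, 26),
    "10.2": (10, 2, 35),
    "10.1": (10, 1, 48),
}

# First x.y.z triple in a version banner such as
# "mysqld  Ver 10.4.15-MariaDB-log for Linux on x86_64 (MariaDB Server)".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from a `mysqld --version` banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no x.y.z version found in: {banner!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """True when `version` predates the fixed release of its branch.

    Assumption (not stated in the advisory): branches older than 10.1 got
    no fix and are treated as vulnerable; branches newer than 10.5 were cut
    after the fix and are treated as fixed.
    """
    major, minor, _patch = version
    branch = f"{major}.{minor}"
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    return version < FIXED_VERSIONS["10.1"]


def check_local_server() -> tuple:
    """Run `mysqld --version` on this host and classify the result.

    Returns (version, vulnerable), or (None, None) if mysqld is not on PATH.
    """
    mysqld = shutil.which("mysqld")
    if mysqld is None:
        return None, None
    banner = subprocess.run([mysqld, "--version"], capture_output=True,
                            text=True, check=True).stdout
    version = parse_version(banner)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real server.
    samples = [
        "mysqld  Ver 10.4.15-MariaDB-log for Linux on x86_64 (MariaDB Server)",
        "mysqld  Ver 10.4.16-MariaDB for Linux on x86_64 (MariaDB Server)",
        "mysqld  Ver 10.3.22-MariaDB for Linux on x86_64 (MariaDB Server)",
    ]
    for banner in samples:
        v = parse_version(banner)
        print(".".join(map(str, v)), "VULNERABLE" if is_vulnerable(v) else "fixed")
    version, vulnerable = check_local_server()
    if version is not None:
        print("local mysqld:", ".".join(map(str, version)),
              "VULNERABLE" if vulnerable else "fixed")
```

The branch-aware comparison matters here: a plain "is it at least 10.5.7" test would wrongly flag 10.4.16 as unpatched, while a plain "is it at least 10.1.48" test would wrongly pass 10.4.15.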
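The advisory classifies the bug as CWE-59 (link following) caused by insecure temporary files, but gives no mechanics. The following is an added illustration of that bug class in general, not the MariaDB-specific steps and not code from RACK911 Labs or MariaDB: a privileged writer creates a temp file under a name an attacker can predict in a shared directory, the attacker pre-plants a symlink to a file it cannot otherwise touch, and a plain `open()` follows the link and truncates the target. The hardened writer opens with `O_CREAT|O_EXCL|O_NOFOLLOW` and is refused. The file names and contents are constructed for the demo; `find_symlinks` is the check to run against whatever directory your mysqld uses as `tmpdir`.

```python
import errno
import os
import tempfile


def unsafe_create(path: str, data: bytes) -> None:
    """Insecure pattern: a plain open() follows any symlink already sitting
    at `path`, so the truncation and the write land on the link target."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_create(path: str, data: bytes) -> None:
    """Hardened pattern: O_CREAT|O_EXCL fails if anything already exists at
    `path` (a planted symlink included) and O_NOFOLLOW refuses to traverse a
    symlink in the final component, so the link target is never touched."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def find_symlinks(directory: str) -> list:
    """Names of symlinks directly inside `directory`. A non-empty result in a
    shared temp directory used by a privileged daemon is what to look for."""
    return sorted(e.name for e in os.scandir(directory) if e.is_symlink())


def run_scenario(create) -> tuple:
    """Play the attack out against one writer implementation.

    Returns (planted, victim_after, error): symlink names found in the shared
    directory before the write, the victim's contents afterwards, and the
    errno name the writer raised (None if the write went through).
    """
    with tempfile.TemporaryDirectory() as shared:
        # Stand-in for another user's table file owned by the daemon's user.
        victim = os.path.join(shared, "victim_table.MYD")
        with open(victim, "wb") as fh:
            fh.write(b"ORIGINAL TABLE DATA")

        # Attacker pre-plants a symlink under the name the privileged process
        # is expected to use (a constructed name, not the server's real one).
        planted = os.path.join(shared, "predictable-temp-name")
        os.symlink(victim, planted)
        found = find_symlinks(shared)

        error = None
        try:
            create(planted, b"")  # privileged writer creates "its" temp file
        except OSError as exc:
            error = errno.errorcode[exc.errno]

        with open(victim, "rb") as fh:
            return found, fh.read(), error


if __name__ == "__main__":
    print("unsafe writer:", run_scenario(unsafe_create))
    print("safe writer:  ", run_scenario(safe_create))
```

The difference is entirely in how the file is opened: the unsafe writer leaves the victim empty and reports no error, while the hardened one gets EEXIST and the victim is intact. A private, non-world-writable `tmpdir` for mysqld removes the attacker's ability to plant the link in the first place, which is the configuration-side defence while an update is pending.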
 
I'd like to note that these updates would immediately break any PHP < 7.3 due to https://jira.mariadb.org/browse/MDEV-24121. Even if we patch lower versions of PHP to support it, CloudLinux PHP versions would be affected. MariaDB planned to release new versions days ago, but it hasn't happened yet.
 
I'd like to note updates would break any PHP <7.3 immediately due to https://jira.mariadb.org/browse/MDEV-24121. Even if we patch lower versions of PHP to support it - CloudLinux PHP versions would be affected. MariaDB planned to release new versions days ago, but it hasn't happened yet.

I understand why DA is offering the downgrade but can you at least supply the newest versions on files.* so we can manually override the versions.txt and use them? I am trying to use 10.4.16 and it's not here...

Code:
root@srv2:/usr/local/directadmin/custombuild # ./build update_versions
Updating MariaDB.
Downloading             mariadb-10.4.16.tar.gz...
fetch: https://files1.directadmin.com/services/custombuild/mariadb/10.4/10.4.16/mariadb-10.4.16.tar.gz: Not Found
 
Can MariaDB 10.5.7 be affected by MDEV-24121 too?
I don't have a dev server, so sadly I can't try it ;(
==================================
Clearly now, I just read the 10.5.8 note:

Notable Changes

  • Follow up to MDEV-19838 to alter protocol checks to support the following implementations (which add garbage to the end of some packets):
    • mysqlnd (from PHP < 7.3) (MDEV-24121)
    • mysql-connector-python (all versions) (MDEV-24134)
    • and mysql-connector-java (all versions)
  • Arbitrary InnoDB buffer pool and data file corruption (MDEV-24096)
 